AIKIDO-2026-10743

@stellar/stellar-sdk is vulnerable to Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published May 6, 2026

83

High Risk

This Affects:

@stellar/stellar-sdk (JS)
0.0.1 - 15.0.1
Fixed in 15.1.0

TL;DR

The Fetch-based HTTP stack used in the no-axios and minimal bundles treated the redirect and body-size ceilings as optional, even though higher layers pass them as SSRF and denial-of-service guards during federation and stellar.toml resolution. Federation helpers could initiate lookups against malformed domain shapes before those guards ran consistently across builds. SEP-10 challenge verification could accept a signer list when only server-side material matched, instead of proving that an intended client signer had signed. WASM metadata parsing could stall, or mis-advance its offsets, while skipping malformed custom sections.
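To make the first two points concrete, here is an added example of what "the ceilings are not optional" looks like in a Fetch-based client: a wrapper whose redirect and body-size caps cannot be switched off by a caller, and a domain-shape check that runs before any federation or stellar.toml lookup leaves the process. This is illustration code written for this page, not code from @stellar/stellar-sdk; the function names, the cap values and the injectable `fetchImpl` transport are assumptions, and every host in the offline transport is fictitious and constructed for the demo.

```javascript
// Added example, not code from @stellar/stellar-sdk: a Fetch wrapper whose
// redirect and body-size ceilings cannot be disabled, plus the domain-shape
// check that runs before any federation or stellar.toml lookup is issued.
// Names (guardedFetch, fetchStellarToml, the limits) are assumptions.

// Hard caps. Callers may lower them per request but cannot raise or remove them.
const MAX_REDIRECTS = 2;
const MAX_BODY_BYTES = 100 * 1024; // stellar.toml and federation replies are small documents

// Rejects anything carrying a scheme, path, port, userinfo or whitespace and
// enforces DNS label rules, so a malformed "domain" never reaches the network.
function isValidHomeDomain(domain) {
  if (typeof domain !== 'string' || domain.length === 0 || domain.length > 253) return false;
  if (/[\s/\\@:?#]/.test(domain)) return false;
  const labels = domain.split('.');
  if (labels.length < 2) return false;
  return labels.every((label) => /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i.test(label));
}

// Reads the body chunk by chunk and fails the moment the ceiling is crossed,
// instead of buffering an unbounded payload and checking its length afterwards.
async function readBodyWithCeiling(body, maxBytes) {
  const reader = body.getReader();
  const chunks = [];
  let total = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    total += value.byteLength;
    if (total > maxBytes) {
      await reader.cancel();
      throw new Error(`response body exceeds ${maxBytes} bytes`);
    }
    chunks.push(value);
  }
  return Buffer.concat(chunks).toString('utf8');
}

// Redirects are handled manually so the hop count is ours to enforce and every
// hop is re-checked (https only). fetchImpl is injectable for offline testing.
async function guardedFetch(url, opts = {}) {
  const maxRedirects = Math.min(opts.maxRedirects ?? MAX_REDIRECTS, MAX_REDIRECTS);
  const maxBodyBytes = Math.min(opts.maxBodyBytes ?? MAX_BODY_BYTES, MAX_BODY_BYTES);
  const fetchImpl = opts.fetchImpl ?? globalThis.fetch;
  let current = new URL(url);
  for (let hop = 0; ; hop++) {
    if (current.protocol !== 'https:') throw new Error(`refusing non-https URL ${current.href}`);
    const res = await fetchImpl(current.href, { redirect: 'manual' });
    if (res.status >= 300 && res.status < 400) {
      if (hop >= maxRedirects) throw new Error(`redirect limit of ${maxRedirects} exceeded`);
      const location = res.headers.get('location');
      if (!location) throw new Error('redirect without Location header');
      current = new URL(location, current);
      continue;
    }
    const declared = res.headers.get('content-length');
    if (declared !== null && Number(declared) > maxBodyBytes) {
      throw new Error(`declared body size ${declared} exceeds ${maxBodyBytes} bytes`);
    }
    const text = res.body === null ? '' : await readBodyWithCeiling(res.body, maxBodyBytes);
    return { status: res.status, text };
  }
}

// stellar.toml resolution: validate the shape first, then fetch through the guarded path.
async function fetchStellarToml(homeDomain, opts) {
  if (!isValidHomeDomain(homeDomain)) throw new Error(`invalid home domain: ${homeDomain}`);
  return guardedFetch(`https://${homeDomain}/.well-known/stellar.toml`, opts);
}

// Constructed in-memory transport so the example runs offline. All hosts are
// fictitious; the responses model a normal reply, a redirect chain longer than
// the cap, a redirect to a non-https origin, and an oversized body.
function fakeFetch(url) {
  const redirect = (to) => new Response(null, { status: 302, headers: { location: to } });
  const routes = {
    'https://good.example/.well-known/stellar.toml': () =>
      new Response('FEDERATION_SERVER="https://good.example/federation"\n', { status: 200 }),
    'https://hop.example/.well-known/stellar.toml': () => redirect('https://hop2.example/'),
    'https://hop2.example/': () => redirect('https://hop3.example/'),
    'https://hop3.example/': () => redirect('https://hop4.example/'),
    'https://plain.example/.well-known/stellar.toml': () => redirect('http://internal.example/'),
    'https://big.example/.well-known/stellar.toml': () =>
      new Response('x'.repeat(MAX_BODY_BYTES + 1), { status: 200 }),
  };
  const route = routes[url];
  return Promise.resolve(route ? route() : new Response('not found', { status: 404 }));
}

// Runs each constructed case and returns a map of domain -> outcome.
async function demo() {
  const outcomes = {};
  for (const domain of ['good.example', 'hop.example', 'plain.example', 'big.example', 'bad domain/']) {
    try {
      const r = await fetchStellarToml(domain, { fetchImpl: fakeFetch });
      outcomes[domain] = `ok ${r.status} ${r.text.length} bytes`;
    } catch (e) {
      outcomes[domain] = `refused: ${e.message}`;
    }
  }
  return outcomes;
}

demo().then((outcomes) => console.log(outcomes));
```

The design point is that the caps live in the transport layer and are clamped with `Math.min`, so a higher layer can forget to pass them or pass a larger value and still get the guard; the body is rejected while streaming rather than after it has been buffered, which is what turns an oversized reply from a memory problem into a cheap early failure. Requires Node 18 or later for the global `Response` and `fetch`.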

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

@stellar/stellar-sdk is vulnerable to Server-Side Request Forgery (SSRF) in versions 0.0.1 - 15.0.1.

How to fix this

Upgrade @stellar/stellar-sdk to the patched version, 15.1.0 or later.